
---
title: Network and Security Settings
sidebar_position: 7
version: 1
---

# Network and Security Settings

## CORS

To configure CORS, or cross-origin resource sharing, the following dependency must be installed:

```python
pip install apache-superset[cors]
```

The following keys in `superset_config.py` can be specified to configure CORS:

- `ENABLE_CORS`: Must be set to `True` in order to enable CORS
- `CORS_OPTIONS`: options passed to Flask-CORS
  ([documentation](https://flask-cors.corydolphin.com/en/latest/api.html#extension))


## HTTP headers

Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/)
Self-described as a small Flask extension that handles setting HTTP headers that can help
protect against a few common web application security issues.


## HTML Embedding of Dashboards and Charts

There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard.

### Embedding a Public Direct Link to a Dashboard

This works by first changing the content security policy (CSP) of [flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman) to allow for certain domains to display Superset content. Then a dashboard can be made publicly accessible, i.e. **bypassing authentication**. Once made public, the dashboard's URL can be added to an iframe in another website's HTML code.

#### Changing flask-talisman CSP

Add to `superset_config.py` the entire `TALISMAN_CONFIG` section from `config.py` and include a `frame-ancestors` section:
```python
TALISMAN_ENABLED = True
TALISMAN_CONFIG = {
    "content_security_policy": {
    ...
	"frame-ancestors": ["*.my-domain.com", "*.another-domain.com"],
    ...
```
Restart Superset for this configuration change to take effect.

#### Making a Dashboard Public

1. Add the `'DASHBOARD_RBAC': True` [Feature Flag](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md) to `superset_config.py`
2. Add the `Public` role to your dashboard as described [here](https://superset.apache.org/docs/using-superset/creating-your-first-dashboard/#manage-access-to-dashboards)

#### Embedding a Public Dashboard

Now anybody can directly access the dashboard's URL. You can embed it in an iframe like so:

```html
<iframe
  width="600"
  height="400"
  seamless
  frameBorder="0"
  scrolling="no"
  src="https://superset.my-domain.com/superset/dashboard/10/?standalone=1&height=400"
>
</iframe>
```
#### Embedding a Chart

A chart's embed code can be generated by going to a chart's edit view and then clicking at the top right on `...` > `Share` > `Embed code`

### Enabling Embedding via the SDK

Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard".

To enable this entry, add the following line to the `.env` file:

```text
SUPERSET_FEATURE_EMBEDDED_SUPERSET=true
```

## CSRF settings

Similarly, [flask-wtf](https://flask-wtf.readthedocs.io/en/0.15.x/config/) is used manage
some CSRF configurations. If you need to exempt endpoints from CSRF (e.g. if you are
running a custom auth postback endpoint), you can add the endpoints to `WTF_CSRF_EXEMPT_LIST`:


## SSH Tunneling

1. Turn on feature flag
    - Change [`SSH_TUNNELING`](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L489) to `True`
    - If you want to add more security when establishing the tunnel we allow users to overwrite the `SSHTunnelManager` class [here](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L507)
    - You can also set the [`SSH_TUNNEL_LOCAL_BIND_ADDRESS`](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L508) this the host address where the tunnel will be accessible on your VPC

2. Create database w/ ssh tunnel enabled
    - With the feature flag enabled you should now see ssh tunnel toggle.
    - Click the toggle to enable SSH tunneling and add your credentials accordingly.
        - Superset allows for two different types of authentication (Basic + Private Key). These credentials should come from your service provider.

3. Verify data is flowing
    - Once SSH tunneling has been enabled, go to SQL Lab and write a query to verify data is properly flowing.


## Domain Sharding

Chrome allows up to 6 open connections per domain at a time. When there are more than 6 slices in
dashboard, a lot of time fetch requests are queued up and wait for next available socket.
[PR 5039](https://github.com/apache/superset/pull/5039) adds domain sharding to Superset,
and this feature will be enabled by configuration only (by default Superset doesn’t allow
cross-domain request).

Add the following setting in your `superset_config.py` file:

- `SUPERSET_WEBSERVER_DOMAINS`: list of allowed hostnames for domain sharding feature.

Please create your domain shards as subdomains of your main domain for authorization to
work properly on new domains. For Example:

- `SUPERSET_WEBSERVER_DOMAINS=['superset-1.mydomain.com','superset-2.mydomain.com','superset-3.mydomain.com','superset-4.mydomain.com']`

or add the following setting in your `superset_config.py` file if domain shards are not subdomains of main domain.

- `SESSION_COOKIE_DOMAIN = '.mydomain.com'`

## Middleware

Superset allows you to add your own middleware. To add your own middleware, update the
`ADDITIONAL_MIDDLEWARE` key in your `superset_config.py`. `ADDITIONAL_MIDDLEWARE` should be a list
of your additional middleware classes.

For example, to use `AUTH_REMOTE_USER` from behind a proxy server like nginx, you have to add a
simple middleware class to add the value of `HTTP_X_PROXY_REMOTE_USER` (or any other custom header
from the proxy) to Gunicorn’s `REMOTE_USER` environment variable:
